---
layout: docs
page_title: acl Block in Agent Configuration
description: >-
   Configure Nomad's Access Control List (ACL) system behavior in the `acl` block of a Nomad agent configuration. Enable ACL enforcement, change token replication and expiration values, and tune the cache for token, role, and policy TTLs.
---

# acl Block in Agent Configuration

<Placement groups={['acl']} />

This page provides reference information for configuring Nomad's Access Control List (ACL) system behavior in the `acl` block of a Nomad agent configuration.  Enable ACL enforcement, change token replication and expiration values, and tune the cache for token, role, and policy TTLs.

Learn more about configuring Nomad's ACL system in the [Secure
Nomad with Access Control guide][secure-guide].

```hcl
acl {
  enabled    = true
  token_ttl  = "30s"
  policy_ttl = "60s"
  role_ttl   = "60s"
}
```

## `acl` Parameters

- `enabled` `(bool: false)` - Specifies if ACL enforcement is enabled. All other
  ACL configuration options depend on this value. All agents should have the
  same value for this parameter. For example the Nomad command line will
  send requests for client endpoints such as `alloc exec` directly to Nomad
  clients whenever they are accessible. In this scenario, the client will
  enforce ACLs, so both servers and clients should have ACLs enabled.

- `token_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
  cached ACL tokens. This does not affect servers, since they do not cache tokens.
  Setting this value lower reduces how stale a token can be, but increases
  the request load against servers. If a client cannot reach a server, for example
  because of an outage, the TTL will be ignored and the cached value used.

- `policy_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
  cached ACL policies. This does not affect servers, since they do not cache policies.
  Setting this value lower reduces how stale a policy can be, but increases
  the request load against servers. If a client cannot reach a server, for example
  because of an outage, the TTL will be ignored and the cached value used.

- `role_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
  cached ACL roles. This does not affect servers, since they do not cache roles.
  Setting this value lower reduces how stale a role can be, but increases the
  request load against servers. If a client cannot reach a server, for example
  because of an outage, the TTL will be ignored and the cached value used.

- `replication_token` `(string: "")` - Specifies the Secret ID of the ACL token
  to use for replicating policies and tokens. This is used by servers in
  non-authoritative region to mirror the policies and tokens into the local
  region from the [`authoritative_region`][authoritative-region]. Setting
  `replication_token` requires that ACLs have been bootstrapped in the
  authoritative region. Refer to [Configure for multiple regions][] in the ACLs
  tutorial.

- `token_min_expiration_ttl` `(string: "1m")` - Specifies the lowest acceptable
  TTL value for an ACL token when setting expiration. This is used by the Nomad
  servers to validate ACL tokens and ACL authentication methods.

- `token_max_expiration_ttl` `(string: "24h")` - Specifies the highest acceptable
  TTL value for an ACL token when setting expiration. This is used by the Nomad
  servers to validate ACL tokens and ACL authentication methods.

[secure-guide]: /nomad/tutorials/access-control
[authoritative-region]: /nomad/docs/configuration/server#authoritative_region
[Configure for multiple regions]: /nomad/docs/secure/acl/bootstrap#configure-for-multiple-regions
